Just 35 Percent of Responding Organizations Are GDPR-compliant With EU Data Privacy Rules

NEW YORK, Aug. 6, 2018 — The European Union (EU) General Data Protection Regulation (GDPR) took effect May 25, 2018, yet only 34.5 percent of nearly 500 professionals involved in GDPR compliance efforts say their organizations can defensibly demonstrate compliance with the new data privacy rules today, according to a recent Deloitte poll.

Litigation, regulatory and internal investigation challenges could abound for others. One-third of respondents (32.7 percent) hope to be compliant within 2018. And, 11.7 percent plan to take a “wait and see” approach amid uncertainty over how EU regulators in various countries will enforce the new regulation.

“The fact that the GDPR effective date has come and gone and many are still scrambling to demonstrate a defensible position on GDPR compliance reflects the complexity and challenges as the world of privacy rapidly changes,” said Rich Vestuto, a Deloitte Risk and Financial Advisory managing director in discovery for Deloitte Transactions and Business Analytics LLP.

Third-party contract management for GDPR compliance Only 13.6 percent of respondents are confident that their organizations know what data third parties have and are leveraging artificial intelligence (AI) and other technologies to analyze and manage third-party contracts for GDPR compliance.

A majority (56 percent) aren’t done discerning what data third parties have or the potential implications of GDPR on third-party contract management. Some (10.2 percent) have yet to begin addressing third-party GDPR compliance at all.

Vestuto added, “Among the biggest GDPR compliance challenges is third-party contract management. Under GDPR, organizations are responsible for ensuring privacy protection of EU-regulated data shared with or used by vendors and service providers, which requires those organizations to know who their vendors are and precisely what data those third parties hold. Updating or renegotiating contracts and agreements may help ensure third parties are GDPR-compliant when using your organization’s EU-regulated data.”

Discovery challenges loom for 30 percentDiscovery will be harder for their organizations now that the GDPR is enforceable, according to 30.6 percent of respondents. Surprisingly, 18.6 percent expect discovery to actually become easier under GDPR. Some (17.2 percent) expect no change to their organizations’ discovery practices, as a result of GDPR taking effect.

“Even those professionals closely involved in GDPR compliance may not fully appreciate the implications the new rules may have for discovery related to regulatory inquiry responses, litigation and internal investigation proceedings—as well as other aspects of their businesses,” Vestuto cautioned.

Scalability is key as more jurisdictions add data privacy rulesNearly half of respondents (48.2 percent) say their organizations’ data privacy programs are scalable to address pending rules in other jurisdictions even if their immediate focus is GDPR. Also, 19.8 percent report that their organizations’ programs are focused solely on GDPR without scalability, potentially leaving them unprepared to deal with new rules elsewhere.

Vestuto concluded, “Other jurisdictions beyond the EU are enacting more stringent data privacy protections. Data privacy programs should be scalable and requirements rationalized on a global basis to ensure that organizations are able to address current and pending rules in various jurisdictions as needed.”

About DeloitteDeloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including more than 85 percent of the Fortune 500 and more than 6,000 private and middle market companies. Our people work across more than 20 industry sectors to make an impact that matters — delivering measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to see challenges as opportunities to transform and thrive, and help lead the way toward a stronger economy and a healthy society. Deloitte is proud to be part of the largest global professional services network serving our clients in the markets that are most important to them.

Get in touch

Managing Director

Rich is a managing director and market offerings leader in the Discovery practice of Deloitte Transactions and Business Analytics LLP, specializing in providing leading practice guidance and other tec... More

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.